You’re probably unknowingly breaking laws online thanks to the CFAA

The tragic death of Internet activist Aaron Swartz, who killed himself last Friday amidst prosecution for downloading 4.8 million academic articles from JSTOR, has brought one of the primary U.S. computer crime laws under intense public scrutiny. Known as the Computer Fraud and Abuse Act, or CFAA, the law was the basis for 11 of the 13 felony charges against Swartz, who faced more than three decades in prison and a potential $1 million fine for his actions. Some of these CFAA-related charges partially stem from the fact that Swartz violated JSTOR’s Terms of Service – you know, the type of absurdly long document we all agree to but never read.

If Swartz could be charged with nearly a dozen felonies for violating a ToS, does that mean anyone who violates such terms could be charged with federal crimes?

What is the CFAA?

Enacted in 1986 as an amendment to the Counterfeit Access Device and Abuse Act, the CFAA makes it illegal to do a whole bunch of stuff related to computers and computer networks, from stealing government documents and committing fraud to sending out spam emails. It’s an extremely broad law, which means a lot of activities can get pushed under its umbrella by federal prosecutors. And it’s been amended so many times that it’s completely unruly.

Why the CFAA is problematic

Much of this breadth is due to the fact that the CFAA prohibits anyone from accessing a computer “without authorization” or by “exceeding authorized access” for certain purposes, which includes attempts to “obtain information” from a “protected computer” if doing so includes “interstate or foreign … communication”.

Now, this probably sounds like a bunch of legal blather – and it is – but it is legal blather that could potentially affect anyone who uses the Web. Here’s why:

“Without authorization”

While the CFAA does explicitly define what a computer is (“an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device”) it does not define what “authorization” means. And that’s a big problem; because of this, prosecutors can (and have) interpreted this to mean that violations of a website’s Terms of Service are tantamount to accessing that website’s computers “without authorization.”

“Obtain information”

“Obtaining information” could mean a whole swath of things, from downloading top-secret nuclear launch codes to loading a Web page. And again, this legalese could be used to argue that someone has violated the CFAA, and has therefore committed a felony.

“Interstate or foreign communication”

You are almost certainly engaging in “interstate or foreign communication” by reading this article, since Digital Trends’ servers are probably not in the same state (or country) where you live. In other words, using the Internet is, almost by definition, “interstate or foreign communication” with a computer.

“Protected computer”

A “protected computer” under the CFAA is any computer that is connected to a government network, or is used for “interstate or foreign commerce or communication.” So if the computer is connected to the Internet, it is “protected.”

How CFAA applies to Terms of Service

Okay, so now that we’ve sifted through the most troubling parts of the CFAA, let’s look at how this applies to websites’ Terms of Service.

Every website you go to, every social network you’ve joined, every Internet-connected service you use has a Terms of Services that you had to agree to before using it. Even your Internet service provider has a Terms of Service. And chances are you didn’t read any of them.

Having read through quite a few myself, however, I know that many of them include a big list of rules – things you can’t do, or ways in which you are expected to conduct yourself. For example, most websites – including behemoths like Google – prohibit access by people under the age of 13. On Facebook, users are barred from using pseudonyms, or doing anything “misleading.” Many websites prohibit the posting of sexually suggestive content, or “harassing” anyone.

If a prosecutor so chooses, she can use the CFAA to argue that anyone who violates a Terms of Service is committing a felony. That means every 12-year-old who uses Google Search (or Facebook, for that matter) could technically be targeted under CFAA.

Case in point

This argument was made most famously in United States v. Drew – a case you’ve probably heard of even if it doesn’t ring a bell. In this case, defendant Lori Drew was accused of violating the CFAA when she made a fake MySpace profile, and used it to torment one of her teenage daughter’s enemies. The girl Drew was bullying, 13-year-old Megan Meir, eventually, tragically, took her own life. Prosecutors argued that Drew’s MySpace communications led to her suicide. Drew was later convicted of a misdemeanor violation of the CFAA.

A judge eventually vacated Drew’s conviction, arguing that it was inappropriate to interpret the CFAA. “But other criminal defendants haven’t been so lucky,” writes Marcia Hofmann, staff attorney for the Electronic Frontier Foundation. Hofmann points to AT&T “iPad hacker” Andrew Auernheimer, who was recently convicted under the CFAA for his role in downloading more than 120,000 email addresses of iPad users that AT&T had left unsecured on its network. (He plans to appeal the conviction.)

“It’s possible that Auernheimer’s unsympathetic reputation as an Internet troll played a role in the government’s decision to indict him,” writes Hofmann. “And the CFAA’s vague and over-broad language gave the jury an excuse to punish someone who didn’t carry out anything remotely resembling a serious computer intrusion, even though that’s the concern that caused Congress to criminalize ‘unauthorized’ access in the first place.”

Will you go to jail for violating a Terms of Service?

Not likely. History shows us that you really have to do more than just use a fake name on Facebook to have the feds pounding down your door.That said, the cases against Swartz, Drew, Auernheimer, and many others proves that you could be targeted, if the federal government views you as a threat. And being able to use CFAA to take down undesirables is a power the U.S. Department of Justice desperately wants to have (PDF).

Relief on the horizon

The death of Swartz has spurred Washington politicians into tackling the absurdity that is the CFAA. Earlier this week, Rep. Zoe Lofgren (D-CA) announced plans to introduce a bill (PDF) that would change the CFAA to explicitly decriminalize Terms of Service violations. But until that bill is signed into law – and there’s no good reason at this point to believe it will – I’d make sure to give those Terms of Service a read before you click “agree.”